oss-sec mailing list archives
Re: please verify unusual x.509 constraints are handled
From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Wed, 27 Jun 2012 15:39:51 +0200
Tavis Ormandy wrote:
> List, just an FYI, I've noticed a Korean CA appears to always set the cA bit in the X.509 basicConstraints, then uses pathLenConstraint and keyUsage bits to restrict the results. [...] While arguably the X.509 specifications permit this, I find it hard to believe that these bits are checked consistently by all implementations. AFAICT, GnuTLS does not check these constraints, but OpenSSL does.

One thing I always wonder when x509 certificates come into play is where to draw the line between missing feature and vulnerability.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
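
The check the quoted message is concerned with, as an added example that is not part of either post: a verifier has to enforce cA, keyUsage keyCertSign and pathLenConstraint on every issuing certificate in a chain, as RFC 5280 path validation describes. The `Cert` record, the certificate names and the chains are constructed for illustration and stand in for parsed certificates.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class Cert:
    """Constructed model of the fields discussed; not a DER/X.509 parser."""
    subject: str
    issuer: str
    ca: bool = False                            # basicConstraints cA
    path_len: Optional[int] = None              # basicConstraints pathLenConstraint
    key_usage: Optional[FrozenSet[str]] = None  # None means the extension is absent

def issuer_errors(chain: List[Cert]) -> List[str]:
    """chain[0] is the end-entity certificate; each later entry issued the one before.
    Returns constraint violations among the issuing certificates.
    Assumption: the top certificate is checked like any other issuer."""
    errors = []
    ca_below = 0  # non-self-issued CA certificates between this issuer and chain[0]
    for cert in chain[1:]:
        if not cert.ca:
            errors.append(f"{cert.subject}: cA not set")
        if cert.key_usage is not None and "keyCertSign" not in cert.key_usage:
            errors.append(f"{cert.subject}: keyUsage lacks keyCertSign")
        if cert.path_len is not None and ca_below > cert.path_len:
            errors.append(f"{cert.subject}: pathLenConstraint {cert.path_len} exceeded")
        if cert.subject != cert.issuer:
            ca_below += 1
    return errors

# Constructed sample data (hypothetical names).
ROOT = Cert("Root", "Root", ca=True)
# cA is set, but keyUsage and pathLenConstraint restrict what it may sign.
SITE = Cert("site.example", "Root", ca=True, path_len=0,
            key_usage=frozenset({"digitalSignature", "keyEncipherment"}))
LEAF = Cert("other.example", "site.example")
LIMITED = Cert("Limited CA", "Root", ca=True, path_len=0)
SUBCA = Cert("Sub CA", "Limited CA", ca=True)
DEEP_LEAF = Cert("deep.example", "Sub CA")

if __name__ == "__main__":
    for chain in ([SITE, ROOT], [LEAF, SITE, ROOT], [DEEP_LEAF, SUBCA, LIMITED, ROOT]):
        print([c.subject for c in chain], issuer_errors(chain) or "ok")
```

A verifier that stops at the cA bit reports no error for the second and third chains; the keyUsage and pathLenConstraint checks are what reject them.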